[ale] Uh-oh, gpg keyrings don't match!

Jim Kinney jim.kinney at gmail.com
Tue Oct 11 07:51:54 EDT 2011


I think Mike nailed it with the backup/restore error.

A restore method I swear by (at) is to always restore to a tmp directory. I
have to do more work to complete things but it means I don't wind up with an
older copy of something important.
On Oct 10, 2011 11:24 PM, "Michael H. Warfield" <mhw at wittsend.com> wrote:

> On Mon, 2011-10-10 at 22:51 -0400, Michael Trausch wrote:
> > On Mon, Oct 10, 2011 at 21:15, Jim Kinney <jim.kinney at gmail.com> wrote:
> > >
> > > Check mtimes and see if you overwrote them. Check mounts and see if you
> > > have something mounted over you. Get ready to test your recovery process.
> >
> > All the file times are different, because I just imported a key so
> > that I could write an encrypted mail.  So, the public keyring was
> > *just* modified, whereas the private one has been the same for a long
> > time.  Unfortunately, it seems that my present dilapidated method of
> > backing things up doesn't preserve the timestamps, so the private ring
> > has a timestamp from when I last backed up/restored it.
> >
> > I have nothing mounted in my $HOME.
> >
> > And this is just plain weird...
>
> Sigh...  Not as weird as you might think.
>
> > Here is the listing for --list-keys and --list-secret (so, public and
> > private, in order):
>
> > mbt at aloe ~/.gnupg $ gpg2 --list-keys 19C59A30
> > pub   1024D/19C59A30 2006-02-15 [expires: 2012-02-09]
> > uid                  Michael B. Trausch <mike at trausch.us>
> > uid                  [jpeg image of size 2663]
> > uid                  Michael B. Trausch <fd0man at gmail.com>
> > uid                  Michael B. Trausch (Educational Address) <fd0man at email.wintu.edu>
> > uid                  Michael B. Trausch (Primary Address) <michael.trausch at gmail.com>
> > uid                  Michael B. Trausch <mbt at zest.trausch.us>
> > sub   4096g/2B4060E1 2011-02-22 [expires: 2012-02-09]
>
> > mbt at aloe ~/.gnupg $ gpg2 --list-secret 19C59A30
> > sec   1024D/19C59A30 2006-02-15 [expires: 2012-02-09]
> > uid                  Michael B. Trausch <mike at trausch.us>
> > uid                  [jpeg image of size 2663]
> > uid                  Michael B. Trausch <fd0man at gmail.com>
> > uid                  Michael B. Trausch (Educational Address) <fd0man at email.wintu.edu>
> > uid                  Michael B. Trausch (Primary Address) <michael.trausch at gmail.com>
> > uid                  Michael B. Trausch <mbt at zest.trausch.us>
> > ssb   4096g/EE066969 2006-02-15 [expires: 2011-02-14]
>
> Ok...  That's interesting that --list-keys doesn't show your expired
> public key though -kv does (from my test on your downloaded key).
>
> Yeah, crap...  Looks like, in the process of backing up and restoring
> keys and what not, you've backed up and restored the secret key to your
> expired encryption key but not the new one.  That can happen any one of
> a number of ways but I would suspect that at one time you backed up your
> old keyrings and then, after generating a new encryption key, restored
> the old keyrings clobbering your secret keys and losing the active one.
> If you refreshed your public keys from the public key servers (something
> I do quite often to pick up signatures others have given me) it would
> restore your public key to the newer key but not the private key.  And
> there you would be.
>
> You're probably toast.  Unless you have a backup with that private key
> somewhere, you are screwed.  Your only choice is to create a new
> encryption key and revoke that old one you've lost the key to.  Then
> make sure your keyrings are backed up and the old backups discarded.
>
> Personally...  I would take the opportunity right here and now to
> generate a completely new 2048R key (signed by the old key) and be done
> with it.  That's going to expire in a few months anyways.  Bite the
> bullet and just get off the DSS/DSA keys and back onto an RSA key.
> You'll still have signing and encryption keys but they'll all be RSA
> instead of DSA for signing and ElGamal for encryption.
>
> > These are identical, except for the ElGamal encryption subkey.  If
> > memory serves me correctly, I generated the second one to make the
> > expiration date line up with that for the entire remainder of the key.
> >  What I *don't* understand is, how in the world could this have
> > happened?  Obviously one possibility is that I deleted my encryption
> > subkey and regenerated it in February, 2011.  But generating an
> > encryption key is a big deal in my mind and I think I would remember
> > that.  I remember when I originally generated this key, and I remember
> > every time someone has signed the public part of it.  I don't recall
> > regenerating my encryption key, though.
> >
> > Now, I haven't used my encryption key much since I generated it; I
> > received maybe 20 encrypted emails from 2006 to 2008, and maybe 20 in
> > total since then.  And I sent no more than that in those years, as
> > well.
> >
> > For that matter, if I would have generated the new encryption key,
> > wouldn't it have been updated in my private key, too?
> >
> > I need to look through the backups that I have taken throughout the
> > year, but I don't think that I've ever backed up either my ~/.ssh or
> > ~/.gnupg directories in part; I've always done it in full.
> >
> > For that matter, except at the system's console, I can't get into the
> > system without using an SSH key.
> >
> > I guess it is time to step through the backups from the last two years
> > and see what happened and when it changed...
> >
> > Would it be paranoid to think that this is something more than a
> > simple error?  It seems unlikely that (a) I would have regenerated my
> > encryption key more than halfway into my key's useful life without
> > revoking and regenerating the whole bloody key, (b) that I would have
> > forgotten such an event and (c) that gpg had a bug that failed to
> > write to the secret key, doesn't it?
> >
> >    --- Mike
> >
> > >
> > > On Oct 10, 2011 8:11 PM, "Michael Trausch" <mike at trausch.us> wrote:
> > >>
> > >> Don't know what happened, but I have a bad situation.
> > >>
> > >> I have gpg keys, like many here. Somehow, though, my main key set
> > >> (thankfully expiring in a few months!) isn't right.  My signing keys all
> > >> appear to match, but my encryption key is different, and I cannot decrypt
> > >> encrypted mail sent to me.
> > >>
> > >> Can anyone tell me how I might have screwed up so badly?
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>   /\/\|=mhw=|\/\/          | (678) 463-0932 |
> http://www.wittsend.com/mhw/
>   NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
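The diagnosis in the quoted exchange came from eyeballing the --list-keys and --list-secret-keys output and noticing that the public ring carries one ElGamal subkey while the secret ring carries a different, already expired one. The script below is an added example (not from the thread, and not GnuPG's own tooling) that does that comparison mechanically from gpg's machine-readable `--with-colons` listings: it reports public subkeys with no secret half, secret subkeys with no public half, expired secret material, and the specific "old backup restored over a newer keyring" pattern Mike Warfield describes, where the orphaned secret subkey expired just before the missing public subkey was created. The sample listings are constructed to mirror the thread (key IDs are the short IDs from the posts, zero-padded to 16 hex digits); the record field layout follows gpg's documented DETAILS format.

```python
"""Diff a GnuPG public keyring against the secret keyring.

Input is gpg's machine-readable listing:
    gpg --with-colons --list-keys          (pub/sub records)
    gpg --with-colons --list-secret-keys   (sec/ssb records)
Per gpg's DETAILS file, fields are ':'-separated: 1=record type, 2=validity,
3=key length, 4=algorithm (RFC 4880 ID), 5=key ID, 6=creation time (epoch
seconds), 7=expiry (epoch seconds, empty if the key never expires).
"""
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone

ALGO_NAMES = {1: "RSA", 16: "ElGamal", 17: "DSA"}   # RFC 4880 algorithm IDs


@dataclass(frozen=True)
class KeyRecord:
    kind: str       # pub / sub (public ring) or sec / ssb (secret ring)
    keyid: str
    bits: int
    algo: int
    created: int    # epoch seconds
    expires: int    # epoch seconds, 0 = never expires


def parse_colon_listing(text):
    """Return the pub/sub/sec/ssb records from a --with-colons listing."""
    records = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub", "sec", "ssb") or len(f) < 7:
            continue    # uid/fpr/tru records carry nothing needed here
        records.append(KeyRecord(kind=f[0], keyid=f[4], bits=int(f[2]),
                                 algo=int(f[3]), created=int(f[5] or 0),
                                 expires=int(f[6] or 0)))
    return records


def fmt(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d")


def compare_keyrings(public_text, secret_text, now):
    """Return (code, keyid, detail) tuples describing ring disagreements.

    NO_SECRET       public (sub)key with no secret half: mail encrypted to it
                    cannot be decrypted (the failure in the thread)
    ORPHAN_SECRET   secret half with no matching key in the public ring
    EXPIRED_SECRET  secret half that is past its expiry date
    STALE_RESTORE   orphaned secret subkey expired within 30 days before the
                    public-only subkey was created: the signature of an old
                    backup restored over a keyring that had since gained a
                    new subkey
    """
    pub = {r.keyid: r for r in parse_colon_listing(public_text)}
    sec = {r.keyid: r for r in parse_colon_listing(secret_text)}
    findings = []
    for keyid, r in pub.items():
        if keyid not in sec:
            findings.append(("NO_SECRET", keyid,
                             f"{r.kind} {r.bits}{ALGO_NAMES.get(r.algo, '?')} "
                             f"created {fmt(r.created)}"))
    for keyid, r in sec.items():
        if keyid not in pub:
            findings.append(("ORPHAN_SECRET", keyid,
                             f"{r.kind} created {fmt(r.created)}"))
        if r.expires and r.expires < now:
            findings.append(("EXPIRED_SECRET", keyid, f"expired {fmt(r.expires)}"))
    orphans = [r for k, r in sec.items() if k not in pub and r.kind == "ssb"]
    missing = [r for k, r in pub.items() if k not in sec and r.kind == "sub"]
    for old in orphans:
        for new in missing:
            if old.expires and 0 <= new.created - old.expires <= 30 * 86400:
                findings.append(("STALE_RESTORE", new.keyid,
                                 f"secret ring still holds {old.keyid}, which "
                                 f"expired {fmt(old.expires)}; restore from a "
                                 f"backup older than {fmt(new.created)}?"))
    return findings


def ts(day):
    return int(datetime.strptime(day, "%Y-%m-%d")
               .replace(tzinfo=timezone.utc).timestamp())


NOW = ts("2011-10-11")   # date of the thread
# Constructed sample listings modelled on the output quoted in the thread.
PUBLIC_LISTING = "\n".join([
    f"pub:u:1024:17:0000000019C59A30:{ts('2006-02-15')}:{ts('2012-02-09')}::u:::scESC::::::::::0:",
    "uid:u::::::::Michael B. Trausch <mike at trausch.us>::::::::::0:",
    f"sub:u:4096:16:000000002B4060E1:{ts('2011-02-22')}:{ts('2012-02-09')}:::::e::::::::0:",
])
SECRET_LISTING = "\n".join([
    f"sec:u:1024:17:0000000019C59A30:{ts('2006-02-15')}:{ts('2012-02-09')}::u:::scESC:::+:::::0:",
    "uid:u::::::::Michael B. Trausch <mike at trausch.us>::::::::::0:",
    f"ssb:e:4096:16:00000000EE066969:{ts('2006-02-15')}:{ts('2011-02-14')}:::::e:::+:::::0:",
])

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--live":   # read the real rings
        gpg = ["gpg", "--with-colons", "--batch"]
        public = subprocess.run(gpg + ["--list-keys"], capture_output=True,
                                text=True, check=True).stdout
        secret = subprocess.run(gpg + ["--list-secret-keys"], capture_output=True,
                                text=True, check=True).stdout
        now = int(datetime.now(timezone.utc).timestamp())
    else:
        public, secret, now = PUBLIC_LISTING, SECRET_LISTING, NOW
    for code, keyid, detail in compare_keyrings(public, secret, now):
        print(f"{code:15} {keyid}  {detail}")
```

Run without arguments it replays the thread's situation and reports the 2B4060E1 subkey as NO_SECRET and EE066969 as an expired orphan, plus the STALE_RESTORE hint tying the two together; with `--live` it reads the current user's keyrings. Checking it after every restore, and before discarding the restored-to-tmp copy that Jim recommends above, catches a clobbered secret ring long before someone sends encrypted mail to the subkey you no longer hold.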